Information security concerns for small and medium-sized businesses (SMBs) will continue to grow in 2007. SMBs will no longer be able to hide behind their smaller size and greater anonymity. Hackers and other malicious users will use ever more creative ways to hunt them down, tease them out to play and make their lives miserable.
There are six key areas SMBs need to watch in 2007 to keep their data secure and safe:
1. Hackers, particularly the organized criminal gangs that have already inflicted pain and havoc on large enterprises, will aim their evil sights directly on SMBs. Attacks will be targeted at specific companies.
Attackers have discovered SMBs. They're still hitting larger enterprises, but now they're adding smaller companies to their hit lists. The perception is that the defenses of smaller companies -- their intrusion detection systems and firewalls -- aren't as sophisticated as those of larger companies and are easier to breach. Hackers also believe that with small-to-no security staffs, SMBs are easier pickings.
The hackers are the same: organized criminal gangs, mostly in Eastern Europe and the Far East. Even if your company is local and not known internationally, they can find you. Big companies often have facilities around the globe, making them highly visible targets to the international hacking community. But how do they find an SMB whose only office is in your neighborhood? Attackers use the same techniques they've always used -- port scanning for open and weak networks -- and now they're searching on Google.
A local credit union in a single city, for example, is still a financial institution with money to be stolen. Today, it's just as likely to be a victim of a phishing attack as some better-known international banks with offices on every corner from Chicago to Beijing.
What are the attacks against SMBs? Attacks are becoming more targeted against specific companies. Besides spear phishing attacks against the Web sites of smaller financial institutions, there are also attempts against poorly configured Windows services and File Transfer Protocol (FTP) and Secure Shell (SSH) services. Attackers are doing their homework to learn more about the technical infrastructure of an SMB they're targeting.
SMBs are also susceptible to cyberextortion, where attackers threaten to take down a company's IT systems if the company doesn't pay a ransom. These criminals believe smaller companies don't have the resources to fight back or go to the authorities.
Hackers also exploit SMBs to enlist their servers in botnets, huge armies of zombie computers used maliciously to spread spam, phishing sites, pornography and other Internet garbage.
What can an SMB do? Even without a dedicated information security staff, the IT departments at SMBs can fortify their firewalls, keep their systems up-to-date and patched, and make sure antivirus and antispyware software are installed on gateways, servers and desktops.
2. Security vendors of all sizes, accustomed to selling only to large companies, will tailor their products to smaller players, like SMBs.
The familiar big companies in the security market -- Cisco Systems Inc., Symantec Corp., Microsoft, IBM and VeriSign Inc. -- have traditionally worked with peers their size. Now, they have tailor-made packages for SMBs at lower -- though often still pricey -- costs.
3. Consolidation of IT security vendors will force SMBs to make strategic choices in their purchasing.
At the same time, smaller and midsized security companies saw a wave of merger and acquisition activity in 2006. IT security is a new field on the block and, as a result, the market for products is far from mature. But it's beginning to catch up and coalesce. This year, RSA Security Inc. swallowed up both Cyota and PassMark, then was taken over itself by EMC Corp. LURHQ Corp. and SecureWorks Inc. merged, as did IronPort Systems Inc. and PostX Corp. Expect this trend to continue in 2007.
How will it affect SMBs? Make sure to think strategically and long-term in purchasing security equipment. Ask yourself a few questions before signing any contracts: Will the new company provide the same level of customer service? Will the new company continue support for the acquired product, or will it retire it?
These are life-and-death questions for an SMB, whose whole business may be dependent on a single vendor. Larger enterprises can often work around the loss of a single vendor, since they have the size and muscle to already be working with multiple vendors.
4. SMBs will continue to rely on managed security service providers to outsource their information security functions.
The growth in this market should be steady in 2007, continuing a trend already in process among SMBs. There are many players in this space, but Houston-based Alert Logic Inc. caters strictly to SMBs.
5. Identity and access management issues and the implementation of products will remain top-of-mind for SMBs, including for removable and remote devices.
The key issues will be single sign-on and the management of remote and portable devices. SMBs, like their larger counterparts, may run a bunch of password-protected applications -- all requiring different logons. Vendors such as Imprivata Inc., RSA and Aladdin Knowledge Systems Inc. will cater to SMBs.
Data leakage from portable and remote devices, like USB keys, iPods and wireless devices, can be more damaging to a smaller company where high-risk information is more likely to be concentrated in a single location. That location is also more likely to be less secure and more easily accessible to employees. Companies catering to endpoint security, like Safend Ltd., Vericept Corp. and Vontu Inc., all offer products within reach of SMBs.
6. The merciless hand of government regulation -- painful legislation like SOX and HIPAA -- will reach down from large companies into SMBs, affecting reporting, procedures and auditing.
SMBs won't be immune from the regulatory pressures put on their big brethren. Compliance with legislation like the Sarbanes-Oxley Act (SOX) is a requirement for publicly held companies. But if you're a privately held SMB and you're servicing a public company, its auditors may want to investigate your company, as well. The onus will be on you to keep records of your IT controls in tip-top shape for their auditors.
The other legislative noose around healthcare companies is the Health Insurance Portability and Accountability Act (HIPAA). Like SOX, HIPAA requires stringent record keeping and control of medical records. This puts a heavy burden on IT departments, which electronically process and store such records. But, unlike SOX, this isn't just a requirement of public companies. It even affects small medical practices, textbook SMBs with little IT support.
With these trends in mind, next year promises to be an interesting, and busy, one for IT professionals at SMBs.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon. He is also The IT Security Guy, whose blog is at www.theitsecurityguy.com.